Configuring SQL Server Ports for SharePoint: Firewall Rules and Best Practices
Introduction
Microsoft SharePoint, whether deployed as a farm on-premises or in a hybrid setup, relies heavily on Microsoft SQL Server for its data storage and retrieval operations. SQL Server hosts a range of databases—configuration, content, service application, and search-related—which SharePoint constantly accesses to function correctly.
One critical aspect of a successful SharePoint deployment is ensuring that network communication between the SharePoint servers and the SQL Server is not blocked by firewalls. This article provides a comprehensive guide to configuring the necessary firewall rules for SQL Server, with a specific focus on SharePoint environments, including static vs. dynamic ports, PowerShell automation, and security considerations.
Default Ports Used by SQL Server
SQL Server uses different ports depending on how the instance is configured:
| Port | Protocol | Purpose |
|---|---|---|
1433 | TCP | Default port for SQL Server default instances |
1434 | UDP | Used by SQL Server Browser service for named instances |
Dynamic (e.g., 49152–65535) | TCP | Used by SQL Server named instances unless configured with static ports |
2383 | TCP | Default port for SQL Server Analysis Services (SSAS) |
2382 | TCP | Used by SQL Browser to redirect to SSAS |
135 | TCP | Used by Remote Procedure Call (RPC) for DCOM, useful in remote management |
4022 | TCP | Used by SQL Server Service Broker |
445, 139 | TCP | Used for SMB file sharing during backups or remote operations |
Note: It is best practice to assign static ports to SQL Server instances when used with enterprise systems like SharePoint to simplify firewall rule management.
Setting Static Ports for SQL Server Instances
To avoid dynamic port issues and simplify firewall configuration, configure SQL Server to use static ports:
- Open SQL Server Configuration Manager.
- Navigate to SQL Server Network Configuration > Protocols for [Instance Name].
- Double-click TCP/IP > Go to the IP Addresses tab.
- In the section for each IP (especially IPAll):
- Remove any values from
TCP Dynamic Ports. - Set
TCP Portto a static number (e.g.,14333).
- Remove any values from
- Restart the SQL Server service.
Now you can configure the firewall to allow only this port.
Creating Windows Firewall Rules (Manually)
On the SQL Server host machine:
- Open Windows Defender Firewall with Advanced Security.
- Click Inbound Rules > New Rule.
- Choose Port, then select TCP.
- Enter your port number (e.g.,
1433or14333). - Select Allow the connection.
- Apply to Domain, Private, and Public, as appropriate.
- Name the rule (e.g.,
SQL Server Port for SharePoint).
Repeat this for any other necessary ports like 1434 (UDP) if using named instances.
PowerShell Script to Configure SQL Server Firewall Ports
The following PowerShell script automates the creation of inbound firewall rules for SQL Server:
# Define the ports you want to open
$Ports = @(
@{ Name = "SQL Default Instance (TCP 1433)"; Port = 1433; Protocol = "TCP" },
@{ Name = "SQL Browser (UDP 1434)"; Port = 1434; Protocol = "UDP" },
@{ Name = "SQL Analysis Services (TCP 2383)"; Port = 2383; Protocol = "TCP" },
@{ Name = "SQL Service Broker (TCP 4022)"; Port = 4022; Protocol = "TCP" }
)
foreach ($port in $Ports) {
New-NetFirewallRule `
-DisplayName $port.Name `
-Direction Inbound `
-Protocol $port.Protocol `
-LocalPort $port.Port `
-Action Allow `
-Profile Domain,Private `
-Enabled True
}
Run this script as Administrator on your SQL Server machine.
Network-Level Firewall and DMZ Considerations
In larger environments with segmented networks or demilitarized zones (DMZs), firewall rules should be configured on hardware firewalls and not just Windows Firewall. In such cases:
- Whitelist only SharePoint front-end and application servers as allowed IP sources.
- Use least privilege by restricting unnecessary ports.
- Monitor traffic between tiers using network flow logs or intrusion detection systems.
Security Best Practices
- Never expose SQL Server ports to the internet.
- Use encryption (SSL/TLS) for SQL Server connections (via
Force Encryptionor certificates). - Enable Windows Authentication and avoid mixed-mode when possible.
- Isolate SQL Server via VLANs or subnetting where feasible.
- Use IPSec or firewall ACLs to enforce transport security between SharePoint and SQL.
Summary Table: SQL Server Ports for SharePoint Firewall Configuration
| Port | Protocol | Purpose | SharePoint Use Case | Static? | Required? |
|---|---|---|---|---|---|
| 1433 | TCP | Default SQL Server Instance | SharePoint DB connection | Yes | Yes |
| 1434 | UDP | SQL Browser for named instance discovery | When using named instances | Yes | If used |
| 2383 | TCP | Analysis Services (SSAS) | BI Integrations | Yes | Optional |
| 2382 | TCP | SSAS redirection | BI client redirect | Yes | Optional |
| 135 | TCP | RPC for remote management | SQL Admin Tools, remote mgmt | No | Optional |
| 445/139 | TCP | SMB (file sharing) | SQL backups, scripts, logs | No | Conditional |
| 4022 | TCP | Service Broker | Custom SharePoint solutions | Yes | Optional |
| Custom | TCP | User-defined static port | Hardened or named instance setups | Yes | Recommended |
edvaldo b. guimarães filho 